CLF-C02 | Chapter 72 of 130 | Objective 2.3

AWS Certificate Manager (ACM)

This chapter covers AWS Certificate Manager (ACM), a service that simplifies the provisioning, management, and deployment of Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates. For the CLF-C02 exam, this falls under Domain 2: Security and Compliance, Objective 2.3: Describe the security and compliance benefits of AWS services. Although not a major percentage, understanding ACM is critical because it directly supports secure communications—a fundamental security requirement. You will learn how ACM works, its integration with other AWS services, and common exam traps.

25 min read
Intermediate
Updated May 31, 2026

The Hotel Key System for TLS Certificates

Imagine you run a hotel. Each guest room has a unique key that proves the guest is authorized to enter. But how does a guest know the key they have is genuine? Your hotel uses a master key system managed by a trusted locksmith (a Certificate Authority, or CA). When a guest checks in, the front desk gives them a key card that is digitally signed by the locksmith. The guest can verify the signature by checking the locksmith's public directory. In AWS Certificate Manager (ACM), you request a certificate (the key card) from a trusted CA (the locksmith). ACM can either issue the certificate itself (using its own CA) or import a certificate from an external CA. The certificate binds a domain name (the room number) to a public key (the key). When a visitor's browser connects to your website, the server presents the certificate. The browser verifies the certificate's validity by checking the CA's signature and the certificate's expiration date. ACM automates the renewal process, so you don't have to manually replace expired certificates. Just like the hotel automatically issues new key cards when guests extend their stay, ACM can automatically renew certificates if you use DNS validation. This ensures your website's HTTPS connection remains trusted without manual intervention.

How It Actually Works

What is AWS Certificate Manager (ACM) and the Problem It Solves

AWS Certificate Manager (ACM) is a service that lets you easily provision, manage, and deploy public and private SSL/TLS certificates for use with AWS services and your internal connected resources. SSL/TLS certificates are digital certificates that enable encrypted communication between a client (like a web browser) and a server. They are essential for HTTPS, which secures data in transit.

Before ACM, managing certificates was a manual, error-prone process. You had to generate a Certificate Signing Request (CSR), submit it to a Certificate Authority (CA), wait for validation, install the certificate on your server, and track expiration dates. If a certificate expired, your website would show security warnings, driving away customers. ACM automates these tasks, reducing the risk of human error and saving time.

ACM integrates natively with several AWS services, including:

Elastic Load Balancing (ELB) – Application Load Balancer (ALB), Network Load Balancer (NLB)

Amazon CloudFront – content delivery network

Amazon API Gateway – for REST and WebSocket APIs

AWS Elastic Beanstalk – for web applications

AWS CloudFormation – for infrastructure as code

AWS Nitro Enclaves – for secure enclaves

ACM does not support using certificates directly on Amazon EC2 instances (you must export or use a different solution). This is a common exam trap.

How ACM Works – The Mechanism

ACM operates in two modes: public certificates and private certificates.

Public Certificates: ACM acts as a public Certificate Authority (CA) trusted by major browsers and operating systems. When you request a public certificate, ACM handles the entire lifecycle:

1. Request: You specify the domain name(s) you want to secure (e.g., example.com, www.example.com). You can request a certificate for a fully qualified domain name (FQDN) or a wildcard (e.g., *.example.com).

2. Validation: You must prove you own or control the domain. ACM supports two validation methods:
- DNS validation: You add a specific CNAME record to your DNS configuration (e.g., in Amazon Route 53 or another DNS provider). ACM checks for this record to confirm ownership.
- Email validation: ACM sends validation emails to three addresses for each domain: administrator@, hostmaster@, postmaster@, plus one WHOIS contact. You must click a link in the email.

3. Issuance: Once validated, ACM issues the certificate from its trusted CA (Amazon Trust Services). The certificate is stored in ACM and is automatically renewed if you use DNS validation and the CNAME record remains in place.

4. Deployment: You associate the certificate with an integrated AWS service (e.g., an ALB listener). ACM automatically deploys the certificate to the service.

5. Renewal: ACM attempts to renew certificates 60 days before expiration. For DNS validation, renewal is automatic if the CNAME record exists. For email validation, you must re-approve manually.

Private Certificates: ACM Private Certificate Authority (ACM PCA) allows you to create a private CA hierarchy to issue certificates for internal use (e.g., for internal applications, IoT devices, or code signing). These certificates are not trusted by public browsers. You can issue certificates for internal domain names like internal.example.com. ACM PCA is a separate service with its own costs.

Key Tiers, Configurations, and Pricing

Public certificates provisioned through ACM are free. You only pay for the AWS resources that use them (e.g., load balancers, CloudFront distributions). However, if you import your own certificate into ACM, you are charged a monthly fee per certificate (currently $0.75/month per certificate after the first 1,000 imported certificates, but check current pricing).

ACM PCA has costs for:

Monthly fee for each private CA (monthly, prorated hourly)

Per-certificate issuance fee

Optional: fees for creating and managing subordinate CAs

Limits:
- Default limit of 2,500 public certificates per AWS account per region (soft limit, can be increased)
- Maximum certificate chain length: 5 (including the root CA)
- ACM public certificates have a maximum validity of 13 months (395 days) as of 2020 (industry standard). Private certificates can have longer validity.
- ACM supports RSA 2048, RSA 4096, and Elliptic Curve (EC) keys.

Comparison to On-Premises or Competing Approaches

Traditionally, you would purchase certificates from a public CA like DigiCert or Let's Encrypt. Let's Encrypt provides free certificates but requires automated renewal via the ACME protocol. ACM simplifies this by integrating directly with AWS services. With ACM, you don't need to manage certificate files or renewal scripts. The trade-off is that ACM certificates cannot be exported for use on non-AWS resources (except for use with AWS CloudFront via a special export). If you need a certificate for an EC2 instance, you must either use ACM PCA (which allows export) or purchase a certificate from another CA.

When to Use ACM vs Alternatives

Use ACM public certificates when you need a TLS certificate for an AWS-integrated service (ALB, CloudFront, API Gateway). It's free and automates renewal.

Use ACM PCA when you need private certificates for internal resources (e.g., internal APIs, device authentication) or when you need to issue certificates programmatically.

Use third-party certificates when you need to use the certificate on non-AWS resources (e.g., on-premises servers) or when you need specific features not supported by ACM (e.g., extended validation certificates).

Use AWS CloudHSM if you need to store private keys in a hardware security module for compliance.

Exam-Focused Details

ACM certificates are regional. If you need the same certificate in multiple regions, you must request a certificate in each region. Exception: CloudFront requires certificates in the US East (N. Virginia) region.

ACM supports wildcard certificates (*.example.com), but the wildcard only covers one level (e.g., *.example.com covers sub.example.com but not sub.sub.example.com).

ACM does not support certificates for IP addresses; only domain names.

ACM integrates with AWS CloudFormation to create and manage certificates.

Automatic renewal only works with DNS validation; email validation requires manual action.

ACM can be used with AWS Certificate Manager Private Certificate Authority to issue certificates for AWS IoT, Elastic Beanstalk, and other services.

Code Example: Requesting a Certificate via AWS CLI

aws acm request-certificate \
    --domain-name example.com \
    --validation-method DNS \
    --subject-alternative-names www.example.com \
    --idempotency-token 1234

This command returns a certificate ARN. Then you can describe the certificate to get the CNAME record for DNS validation:

aws acm describe-certificate --certificate-arn arn:aws:acm:us-east-1:123456789012:certificate/abc-123

CloudFormation Example

Resources:
  MyCertificate:
    Type: AWS::CertificateManager::Certificate
    Properties:
      DomainName: example.com
      SubjectAlternativeNames:
        - www.example.com
      ValidationMethod: DNS

This creates a certificate that requires manual DNS validation (you must add the CNAME record to your DNS zone).

Walk-Through

1. Request a Public Certificate

Open the ACM console at https://console.aws.amazon.com/acm/. Click 'Request a certificate'. Choose 'Request a public certificate'. Enter your domain name (e.g., example.com). You can add additional names like www.example.com under 'Add another name to this certificate'. ACM supports fully qualified domain names (FQDNs) and wildcards (e.g., *.example.com). For validation method, choose DNS validation (recommended) or email validation. DNS validation is automated and allows automatic renewal. After submitting, ACM creates a certificate request with status 'Pending validation'.

2. Validate Domain Ownership

If you chose DNS validation, ACM provides a CNAME record that you must add to your DNS configuration. For example, if your domain is example.com, ACM might give a CNAME name like _x1.example.com pointing to _x2.acm-validations.aws. You add this record to your DNS provider (e.g., Route 53 hosted zone). If you use Route 53, you can click 'Create record in Route 53' in the console. ACM periodically checks for the record. Once found, the certificate status changes to 'Issued'. For email validation, ACM sends emails to administrator@, hostmaster@, postmaster@, and the WHOIS contact. You click the approval link within 72 hours.

3. Associate Certificate with a Service

After the certificate is issued, you can associate it with an integrated AWS service. For example, to use it with an Application Load Balancer: go to the EC2 console, select your ALB, and under 'Listeners', edit the HTTPS listener to use the ACM certificate. You select the certificate from a dropdown. ACM automatically deploys the certificate to the load balancer. The ALB will now present this certificate to clients. Similarly, for CloudFront, you associate the certificate with the distribution's viewer protocol policy. Note: CloudFront requires the certificate to be in the US East (N. Virginia) region.

4. Monitor and Renew Certificates

ACM automatically renews public certificates that use DNS validation. It attempts renewal 60 days before expiration. If the DNS CNAME record is still present, ACM issues a new certificate and replaces the old one on the associated services automatically. For email-validated certificates, ACM sends renewal notices 45 days before expiration, but you must manually approve via email. You can monitor certificate expiration in the ACM console or via AWS Config rules (e.g., acm-certificate-expiration-check). Set up CloudWatch alarms to notify you of upcoming expirations. If a certificate expires, the associated service will stop accepting HTTPS connections.

5. Delete or Export a Certificate (if needed)

To delete a certificate, you must first remove all associations with AWS services. In the ACM console, select the certificate and choose 'Delete'. You cannot export ACM-issued public certificates for use outside AWS. However, you can export certificates from ACM Private CA (PCA) using the AWS CLI or SDK. For example (the command needs both the issuing CA's ARN and the certificate's ARN): aws acm-pca get-certificate --certificate-authority-arn arn:aws:acm-pca:... --certificate-arn arn:aws:acm-pca:... --output text. Exported certificates include the private key only if you used a supported key algorithm (RSA 2048, RSA 4096, EC). Note: Exporting a certificate from ACM PCA incurs no additional cost beyond the PCA fees.

What This Looks Like on the Job

Scenario 1: E-commerce Website on AWS

A medium-sized e-commerce company runs its website on EC2 instances behind an Application Load Balancer. They need HTTPS to secure customer transactions. The team uses ACM to request a public certificate for their domain (shop.example.com). They choose DNS validation because they use Route 53 for DNS. ACM automatically validates and issues the certificate. They then associate the certificate with the ALB's HTTPS listener. The ALB terminates TLS, so the backend EC2 instances communicate via HTTP internally (or they can use a second certificate for internal encryption). The certificate is automatically renewed every 13 months, so the team never has to worry about expiration. Cost: The certificate is free; they only pay for the ALB and EC2 instances. If they had used a third-party CA, they would pay $50–$300 per year per certificate and would need to manually renew and install.

Scenario 2: Internal Microservices with Private Certificates

A financial services company has multiple internal microservices communicating over a private network. They need TLS to encrypt traffic between services. They use ACM Private Certificate Authority to create a private CA. They issue certificates for each microservice's internal DNS name (e.g., payments.internal.example.com). They use AWS Cloud Map or internal Route 53 to resolve names. The certificates are deployed on EC2 instances using an automation script that calls the ACM PCA API to issue and export certificates. Because the certificates are private, they are not trusted by public browsers, but within the company's trust store, they are valid. This approach is cheaper than buying public certificates for internal names and allows for automated issuance and renewal. Cost: Monthly fee for the private CA ($400/month for the first CA, plus per-certificate fees). This is acceptable for a company with many internal services.

Scenario 3: Misconfiguration Leading to Outage

A startup uses ACM with email validation for their main domain. They receive an email for validation and approve it. The certificate is issued and associated with their CloudFront distribution. After 11 months, the certificate is due for renewal. ACM sends renewal emails, but the startup's email server filters them as spam. The team misses the renewal deadline. The certificate expires, and users see a 'Your connection is not private' warning. Traffic drops by 40% until they manually request a new certificate and update the CloudFront distribution. This could have been avoided by using DNS validation, which automates renewal without email intervention. The lesson: always prefer DNS validation for production workloads.

Cost Considerations

Public ACM certificates are free; you pay for the underlying services (ALB, CloudFront, etc.).

Imported certificates cost $0.75/month each (after the first 1,000, but check current pricing).

ACM PCA costs $400/month per private CA (prorated hourly) plus $0.75 per certificate issued per month (first 1,000 certificates per month are free).

There are no data transfer costs for ACM itself.

What Goes Wrong When Misconfigured

Wrong region: Requesting a certificate in one region but trying to use it in another (except CloudFront, which requires us-east-1).

Wildcard mismatch: *.example.com covers subdomain.example.com but does not cover sub.sub.example.com.

Validation failure: Not adding the CNAME record correctly (e.g., missing trailing dot).

Expired certificate: Not monitoring expiration or using email validation without manual renewal.

Association issues: Trying to associate a certificate with an EC2 instance directly (not supported).
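The rules in the list above and in the walk-through (one-label wildcard scope, no IP-address names, regional scope with the CloudFront exception, EC2 not supported, email-validated certificates needing manual renewal, the 60-day renewal window, and comparing the validation CNAME without tripping over the trailing dot) as one pre-deployment check. This is an added Python example, not code from this chapter or from any AWS tool; the certificate record mirrors the shape of describe-certificate output but is constructed, and the ARN, account id and "today" are placeholders.

```python
"""Pre-deployment checks for an ACM certificate against a target host, service
and region. Added example; the describe-certificate-style record below is
constructed (placeholder ARN/account) and FIXED_NOW stands in for the clock
so the renewal-window arithmetic is reproducible."""
from datetime import datetime, timedelta, timezone
import ipaddress

RENEWAL_WINDOW_DAYS = 60         # ACM starts renewal attempts this many days before expiry
CLOUDFRONT_REGION = "us-east-1"  # CloudFront only accepts certificates from this region
FIXED_NOW = datetime(2026, 6, 1, tzinfo=timezone.utc)  # constructed "today"

def name_covers_host(cert_name: str, host: str) -> bool:
    """A wildcard matches exactly one label: *.example.com covers a.example.com
    but neither a.b.example.com nor the bare apex example.com."""
    cert_name, host = cert_name.lower().rstrip("."), host.lower().rstrip(".")
    if cert_name.startswith("*."):
        suffix = cert_name[2:]
        return host.endswith("." + suffix) and host.count(".") == suffix.count(".") + 1
    return cert_name == host

def cname_matches(expected: dict, observed_name: str, observed_value: str) -> bool:
    """Compare the CNAME ACM asked for with what DNS actually returns. DNS names
    are case-insensitive and a trailing dot denotes the same name."""
    norm = lambda s: s.lower().rstrip(".")
    return norm(expected["Name"]) == norm(observed_name) and norm(expected["Value"]) == norm(observed_value)

def check_certificate(cert: dict, host: str, service: str, region: str, now: datetime = FIXED_NOW) -> list:
    """Return human-readable findings; an empty list means the certificate fits the target."""
    findings = []
    cert_region = cert["CertificateArn"].split(":")[3]  # arn:aws:acm:<region>:<account>:...
    try:
        ipaddress.ip_address(host)
        findings.append("ACM does not issue certificates for IP addresses")
    except ValueError:
        pass  # a hostname, which is what ACM expects
    names = [cert["DomainName"], *cert.get("SubjectAlternativeNames", [])]
    if not any(name_covers_host(n, host) for n in names):
        findings.append(f"no name on the certificate covers {host}")
    if service == "ec2":
        findings.append("public ACM certificates cannot be installed directly on EC2")
    needed = CLOUDFRONT_REGION if service == "cloudfront" else region
    if cert_region != needed:
        findings.append(f"certificate is in {cert_region} but {service} in {region} needs {needed}")
    for opt in cert.get("DomainValidationOptions", []):
        if opt.get("ValidationMethod") == "EMAIL":
            findings.append(f"{opt['DomainName']} is email-validated; renewal needs manual approval")
    days_left = (cert["NotAfter"] - now).days
    if days_left < 0:
        findings.append("certificate has expired")
    elif days_left <= RENEWAL_WINDOW_DAYS:
        findings.append(f"{days_left} days to expiry: inside the renewal window, keep the validation CNAME in place")
    return findings

def sample_certificate() -> dict:
    """Constructed record in the shape of describe-certificate output (placeholder ARN and account)."""
    return {
        "CertificateArn": "arn:aws:acm:us-east-1:111122223333:certificate/EXAMPLE-ID",
        "DomainName": "example.com",
        "SubjectAlternativeNames": ["example.com", "*.example.com"],
        "DomainValidationOptions": [
            {"DomainName": "example.com", "ValidationMethod": "DNS", "ResourceRecord": {
                "Name": "_x1.example.com.", "Type": "CNAME", "Value": "_x2.acm-validations.aws."}},
            {"DomainName": "*.example.com", "ValidationMethod": "DNS"},
        ],
        "NotAfter": FIXED_NOW + timedelta(days=45),  # inside the 60-day renewal window
    }

if __name__ == "__main__":
    cert = sample_certificate()
    for target in [("shop.example.com", "cloudfront", "eu-west-1"),
                   ("a.b.example.com", "alb", "eu-west-1"), ("203.0.113.10", "alb", "us-east-1")]:
        print(target, check_certificate(cert, *target) or ["OK"])
```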

How CLF-C02 Actually Tests This

What CLF-C02 Tests on This Objective

Objective 2.3 (Describe the security and compliance benefits of AWS services) includes understanding how ACM helps secure data in transit. The exam expects you to know:

ACM provides free public SSL/TLS certificates for use with AWS services.

ACM automates certificate renewal (if using DNS validation).

ACM integrates with ELB, CloudFront, API Gateway, and Elastic Beanstalk.

ACM cannot be used directly on EC2 instances (you must use a different method).

ACM certificates are regional (except CloudFront requires us-east-1).

ACM supports wildcard certificates.

Common Wrong Answers and Why Candidates Choose Them

1. 'ACM certificates can be exported for use on EC2 instances.' – Wrong. ACM public certificates cannot be exported. Candidates think because it's a certificate, you can download it. Reality: Only ACM PCA allows export.

2. 'ACM automatically renews all certificates regardless of validation method.' – Wrong. Automatic renewal only works with DNS validation. Email validation requires manual action. Candidates assume automation is universal.

3. 'ACM certificates are valid for 3 years.' – Wrong. The maximum validity is 13 months (395 days) due to industry standards. Candidates may confuse this with older practices.

4. 'You need to pay for ACM public certificates.' – Wrong. Public certificates provisioned through ACM are free. Candidates may think nothing is free on AWS.

5. 'ACM can be used to secure any website, even on-premises.' – Wrong. ACM certificates can only be used with integrated AWS services; they cannot be installed on external servers.

Specific Terms and Values That Appear Verbatim

'DNS validation' vs 'Email validation'

'13 months' (or '395 days') – certificate validity

'Wildcard certificate' – for multiple subdomains

'Regional' – certificates are per-region

'Integration with CloudFront requires us-east-1'

'ACM Private Certificate Authority (ACM PCA)'

'Automatic renewal' – only with DNS validation

Tricky Distinctions

ACM vs AWS Certificate Manager Private Certificate Authority: ACM is for public certificates (trusted by browsers) and private certificates (via PCA). PCA is a separate service with its own costs.

ACM vs AWS CloudHSM: ACM manages certificates; CloudHSM manages hardware security modules for key storage.

ACM vs AWS Secrets Manager: ACM stores certificates; Secrets Manager stores secrets like database passwords. Both can store secrets, but ACM is specifically for TLS certificates.

ACM vs IAM Server Certificates: IAM can store server certificates for use with Elastic Load Balancing, but this is legacy. ACM is the modern, preferred method.

Decision Rule for Multi-Choice Questions

When you see a question about SSL/TLS certificates on AWS:

If it mentions 'free', 'automated renewal', 'integration with ALB/CloudFront', think ACM.

If it mentions 'export certificate', 'private CA', 'internal certificates', think ACM PCA.

If it mentions 'EC2 instance directly', the answer is probably not ACM (use a third-party certificate or ACM PCA export).

If it mentions 'multiple regions', remember you need separate certificates per region (except CloudFront).

If it mentions 'validation', DNS is automatic; email is manual.

Elimination strategy: Remove answers that say ACM certificates are paid, can be exported, or work with EC2 directly.

Key Takeaways

ACM public certificates are free and automatically renewable when using DNS validation.

ACM integrates natively with ALB, NLB, CloudFront, API Gateway, and Elastic Beanstalk.

ACM certificates are regional; you need separate certificates per region (except CloudFront requires us-east-1).

ACM does not support direct installation on EC2 instances; use ACM PCA or third-party certificates.

DNS validation is preferred over email validation because it enables automatic renewal.

ACM supports wildcard certificates (*.example.com) but only for one level of subdomain.

ACM PCA allows you to create private certificates for internal use and supports export.

Imported certificates incur a monthly fee; ACM-issued public certificates are free.

Certificate validity is 13 months (395 days) for public certificates; private certificates can be longer.

ACM can be used with AWS CloudFormation and AWS CLI for automation.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

ACM Public Certificates

Free of charge (no per-certificate fee)

Trusted by public browsers and devices

Cannot be exported for external use

Automatic renewal with DNS validation

Maximum validity of 13 months

ACM Private Certificate Authority (PCA)

Cost: $400/month per private CA plus per-certificate fees

Not trusted by public browsers (trusted only within your organization)

Certificates can be exported (private key included)

Manual renewal or custom automation required

Can set custom validity periods (up to 10 years)

Watch Out for These

Mistake: ACM certificates can be used on any web server, including on-premises.

Correct: ACM public certificates can only be deployed to integrated AWS services (ELB, CloudFront, API Gateway, Elastic Beanstalk). They cannot be exported and installed on external servers. For on-premises use, you need a third-party certificate or ACM PCA (which allows export).

Mistake: ACM automatically renews all certificates without any action.

Correct: Automatic renewal only works for certificates validated via DNS validation. For email validation, you must manually approve renewal emails. If you don't, the certificate will expire.

Mistake: ACM certificates are free, but you must pay for each certificate you request.

Correct: Public certificates provisioned through ACM are completely free. You only pay for the AWS resources that use them (e.g., load balancers). However, if you import your own certificate, you pay a monthly fee per certificate.

Mistake: You can use the same ACM certificate in multiple AWS regions.

Correct: ACM certificates are regional. You must request a certificate in each region where you need it. The only exception is CloudFront, which requires the certificate to be in the US East (N. Virginia) region.

Mistake: ACM supports certificates for IP addresses.

Correct: ACM only supports certificates for domain names (FQDNs and wildcards). It does not support certificates for IP addresses. For IP-based certificates, you must use a third-party CA.

Frequently Asked Questions

Can I use an ACM certificate on an EC2 instance directly?

No, you cannot. ACM public certificates cannot be exported and installed directly on EC2 instances. ACM is designed to work with integrated AWS services like ELB, CloudFront, and API Gateway. For EC2 instances, you have two options: (1) Use a third-party certificate (purchase from a public CA and install manually), or (2) Use ACM Private Certificate Authority (PCA) to issue a certificate that can be exported and then installed on the instance. Note that ACM PCA has additional costs.

How do I automatically renew ACM certificates?

Automatic renewal occurs only for certificates that were validated using DNS validation. ACM will attempt to renew the certificate 60 days before expiration. If the DNS CNAME record that was used for validation is still present, ACM will automatically issue a new certificate and deploy it to the associated services. For email-validated certificates, you must manually approve renewal via email. To ensure automatic renewal, always use DNS validation when requesting a certificate.

Are ACM certificates free?

Yes, public certificates provisioned through ACM are free. You only pay for the AWS resources that use the certificate (e.g., Application Load Balancer, CloudFront distribution). However, if you import your own certificate into ACM, you are charged a monthly fee per imported certificate (currently $0.75/month after the first 1,000, but check current AWS pricing). ACM Private Certificate Authority (PCA) has separate charges for the CA and per certificate.

Can I use the same ACM certificate in multiple regions?

No, ACM certificates are regional. You must request a certificate in each AWS region where you need it. The only exception is Amazon CloudFront, which requires the certificate to be in the US East (N. Virginia) region (us-east-1) to be used with a CloudFront distribution. If you need a certificate for an ALB in multiple regions, you must request a certificate in each region.

What validation methods does ACM support?

ACM supports two validation methods: DNS validation and email validation. DNS validation requires you to add a CNAME record to your DNS configuration. It is the preferred method because it enables automatic renewal. Email validation sends approval emails to administrator@, hostmaster@, postmaster@, and the WHOIS contact for the domain. You must click the link in the email within 72 hours. Email validation requires manual renewal.

What is the difference between ACM and ACM Private Certificate Authority?

AWS Certificate Manager (ACM) is the service that provisions and manages public SSL/TLS certificates that are trusted by browsers. It is free and integrates with AWS services. ACM Private Certificate Authority (ACM PCA) is a separate service that allows you to create a private CA hierarchy to issue certificates for internal use (e.g., for internal applications, IoT devices). ACM PCA certificates are not publicly trusted and can be exported. ACM PCA has costs associated with the CA and each certificate issued.

How long are ACM public certificates valid?

ACM public certificates have a maximum validity of 13 months (395 days). This is in line with industry standards set by the CA/Browser Forum. ACM will attempt to renew the certificate automatically 60 days before expiration if DNS validation was used. Private certificates issued by ACM PCA can have custom validity periods up to 10 years.
